An Introduction To ISO 27799 (ISO27799)
The health sector standard ISO 27799 has now reached 'FDIS ballot' stage within its development cycle (Technical Committee ISO/TC 215). Its publication is therefore well on track, with a proposed title of 'Health Informatics - Security management in health using ISO/IEC 17799'.
The standard itself provides guidance to health organizations and other holders of personal health information on how to protect such information via implementation of ISO17799/ISO27002. It specifically covers the security management needs in this sector, with respect to the particular nature of the data involved.
The standard takes account of the range of models of service delivery within the healthcare sector, and provides additional explanation with respect to those control objectives within 17799/27002 which require it. A number of additional requirements are also listed.
It is envisaged that adoption of ISO 27799 will assist interoperation, and better enable the adoption of new collaborative technologies in healthcare delivery.
NOTE: ISO is also developing a health sector standard relating to audit trails for electronic health records. This has been provisionally numbered ISO 27789 / ISO27789. It is not expected to be published until 2009.
CONTENTS OF ISO 27799
The content sections are:
- References (Normative)
- Health information security (Goals; Security within information governance; Health information to be protected; Threats and vulnerabilities)
- Practical Action Plan for Implementing ISO 17799/27002 (Taxonomy; Management commitment; Establishing, operating, maintaining and improving an ISMS; Planning; Doing; Checking; Auditing)
- Healthcare Implications of ISO 17799/27002 (Information security policy; Organization; Asset management; HR; Physical; Communications; Access; Acquisition; Incident Management; BCM; Compliance)
- Annex A: Threats
- Annex B: Tasks and documentation of the ISMS
- Annex C: Potential benefits and tool attributes
- Annex D: Related standards